Picture this: it’s your first week at work, you just started working as a front desk manager at a major tech company. The boss is out of town for the week, attending a few important business meetings on a cruise. The day starts off pretty slow, not many people come in. the people who do check in and you give them directions to where they need to go. One man, dressed in a blue jumpsuit and carrying a toolbox approaches the desk.
“Hey! I’m [insert generic name] from [local tech company], I was sent by the boss to go do maintenance on server room 13. Are you the new front desk manager?”
Hesitantly, you reply back with a yes. It’s a bit off-putting that this dude knows you’re new, but you continue.
“I was not told of any maintenance being performed today, what’s wrong with that server room?”
“Well see, I’m actually a close friend of [insert boss name here] and he called me yesterday before he left on his cruise. Apparently, some of the wiring is starting to corrode and he asked my company to check it out. He told me that there would be a new desk manager, and it would be good to introduce myself.”
You sit back and analyze the situation at hand. This guy must know your boss if he knows about the cruise, he didn’t tell many people he was going to be out of office. He knows that you’re new, and he looks like he knows what he’s doing. He also has prior knowledge of the building, so it’s not like he’s particularly new. Your boss is currently unable to take calls, so confirmation isn’t entirely possible at the moment. Hesitantly, you let him in, not knowing that this is actually a social engineer and the server room being broken was bullshit.
While this sounds far fetched, this was a real attack that is actually very common (the way it was described above was fictionalized a bit, but the attack is generally the same as its real-world counterpart.). In this instance, the social engineer obviously needed some form of interaction with the CEO or one of his close assistants, but the only private knowledge he needed to know was that the boss was leaving work, how he was leaving, and the new front desk manager. These details require a bit of luck to obtain, but it is one out of a million different attack vectors that can be used to infiltrate a building. Everything else for this attack could have been obtained very easily. The blue jumpsuit could have been a costume. The toolbox could have just been a regular old toolbox. Prior knowledge of the server room could have been obtained in a few ways. One simple way that he could have gotten this info is to have an assistant walk into the building and ask for the bathroom. Using a hidden camera, that person can then explore the building for a limited amount of time and gain valuable knowledge of the layout. Maybe it wasn’t server room 13, but a room much closer to access. All it takes is a tiny bit of exploring to gain enough knowledge to formulate a plan of attack. With physical access to the building, all kinds of things are possible. The attacker has the ability to try and crack wifi access points, plant USB’s infected with malware, and if there are any unsecured computers accessible, they very well could compromise the entire system. Social engineering isn’t just about exploiting people, but also physical security. Remote attacks are one thing, but having physical access to a machine you’re trying to break into makes the entire process 1000 times easier. This is part 2 of the social engineering series, which will go over, as the title suggests, actual social engineering attacks that have happened in the real world.
Sources: “The art of human hacking”, by Christopher Hadnogy, thinking like a social engineer (story modified slightly)
The Clinton campaign
March 21st, 2016. Russian attackers gained access to John Podesta’s personal email address, stealing 50 thousand plus confidential emails relating to Hillary Clinton’s presidential campaign. One month later, the emails were sent to Wikileaks. 3 months later, on October 17, 2016, Wikileaks published the emails to the public. This attack proved to be a very crippling blow to Clinton’s campaign and put her under legal fire from a lot of different sources. How did such a devastating breach happen, you may ask? It was actually a very simple attack, one that was outlined in the first article, actually. To keep it short and simple: John Podesta was phished. A high ranking politician, falling for one of the most basic and rudimentary social engineering attacks? As stated in the previous article, a staggering number of phishing attempts end up being successful. More often than not, they cause a lot of damage. This attack was no exception. Russian hackers actually used one of the most common impersonation tactics as well: A Google employee. On March 19th, 2016, Russian hackers sent John Podesta and his team a series of emails stating that their Gmail account was potentially compromised, and required a password change to maintain security. The link was designed to look like a legitimate google link, and was an exact clone of the Gmail login webpage. The first 29 of the emails were ignored. But eventually, one email hit: and that was all it took to compromise the entire campaign. From the original compromised account, several other employees were targeted, and eventually the team’s DCCC ( Democratic Congressional Campaign Committee) network. From there, a total of 33 computers were infected and used as relay points to steal the confidential information. An alleged 130 or so employees were targeted in this attack, and nearly all of the breaches were through spear phishing. With access to John Podesta’s personal email and the team’s network, a good few gigabytes of data was extracted and exposed to the public. Keep in mind, this entire attack started with a single compromised account. Someone somewhere along the lines slipped up, and opened the door for thousands of emails and confidential data to be leaked. One mistake is all it takes to cripple a company or even a singular person. The real damage here was the potential effects that this attack had on the presidential campaign. While this may not be the cause of the outcome of the election, it did certainly influence plenty of voters, which could have changed the outcome of the election entirely, and therefore, changing the course of the future for the US.
2 factor authentication exploitation
2 factor authentication is regarded as one of the best and most secure ways to make sure that your account will not be compromised. This is 100 percent true, actually. Having to confirm every time a login is made or a password request is made is pretty much the ultimate security measure you can take. So why is this on the list of social engineering attacks? Simple: most breaches are caused by human error, not system failure. This remains true for 2 factor authentication.
The way two factor authentication works is once it’s enabled, any login attempt or password request change, a notification containing a confirmation code is sent to your method of authentication. This can include third-party apps, SMS verification, VoIP verification, and for some services, a notification will show directly on the device chosen for the authentication process. Each has its advantages and drawbacks, and its own security flaws. While other methods can be targeted in this attack, SMS verification is usually the one that is sought after the most, and it just so happens to be the most common form of 2 factor authentication.
The goal of the attack follows the same pattern as most phishing attacks: the hacker tries to convince the victim that someone is trying to access their account, pretends to be an employee of the service that they are trying to breach, and steals the account/credentials through the person directly. The scariest part of this attack, however, is that the attacker doesn’t need to have your password to use this attack. Just knowing the victim uses 2 factor authentication, a phone number, and knowing the victim is uneducated on this type of attack is enough information to successfully perform it. What the hacker is looking for is to purposely trigger the reset password function. Now normally, without 2 factor authentication, (2fa for short) the victim is usually notified via email to confirm they want to reset the password. This also requires the user to input their old passwords in most cases. This is not the case with 2fa. To reset the password, the user only needs the 2fa code. Or, for a hacker, all he needs is this code to compromise and steal the account. Once the password reset has been triggered, the attacker will call the victim using a spoofed number and inform them that someone is trying to access their account. By now, the victim would have already gotten the code that they didn’t request, so obviously, the attacker isn’t lying. The goal for the attacker is to convince the victim to hand over their 2fa code, usually to “confirm” their identity. The moment the attacker receives this code, the password is changed, and the victim is locked out. The only way to recover the account at this stage is to use recovery emails/phone numbers, and if those aren’t available, the account is usually as good as gone. In some cases with certain companies like Google, you can contact customer support directly and provide proof of ownership to get the account back. But be warned, most people who use this tactic aren’t dull people and will usually have a plan of attack, moving swiftly to extract the data they desire from the account. If it is a google account that is compromised, the attacker has access to loads of confidential information, and even worse, email accounts that are usually tied to other social media accounts that can all be compromised through that breach. Most people who use Google services store huge amounts of data onto them, making them incredibly valuable targets for attackers. This attack can be applied to any sort of service that uses 2 factor authentication.
The thing that connects these three attacks together is that they all use some form of impersonation to help extract the data to reach their goal. Social engineering is an art that takes many different forms, but in each attack, the goal is to extract confidential data. The only proper counter to social engineering is knowledge. Information is not only the greatest weapon, but also the strongest defense. Being able to spot a social engineering attack is key to preventing data breaches. Social engineering is an ever growing and changing field, and new methods are developed every day. Always keep learning. Be aware and stay safe. Till next time,